Add a keyword for a rule

author: jvoisin 2020-10-01 15:59:14 +0200
committer: jvoisin 2020-10-01 15:59:14 +0200
commit: 645ce0a43ff258599498e58d2c2d0fe5797f5ee3 (patch)
tree: 68433ffa45eac0c0d281e16c88398524c584b6a1
parent: 72b929d82e76286cf9d90629e544c7472bb6974f (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index dab8cbf..4470e1b 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -84,7 +84,7 @@ rule DodgyPhp
        $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719
        $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/ nocase
-        $execution = /\b(eval|assert|passthru|exec|include|system|pcntl_exec|shell_exec|base64_decode|`|array_map|ob_start|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase  // function that takes a callback as 1st parameter
+        $execution = /\b(popen|eval|assert|passthru|exec|include|system|pcntl_exec|shell_exec|base64_decode|`|array_map|ob_start|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase  // function that takes a callback as 1st parameter
        $execution2 = /\b(array_filter|array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)\s*\(\s*[^,]+,\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase  // functions that takes a callback as 2nd parameter
        $execution3 = /\b(array_(diff|intersect)_u(key|assoc)|array_udiff)\s*\(\s*([^,]+\s*,?)+\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))\s*\[[^]]+\]\s*\)+\s*;/ nocase  // functions that takes a callback as 2nd parameter
author	jvoisin	2020-10-01 15:59:14 +0200
committer	jvoisin	2020-10-01 15:59:14 +0200
commit	645ce0a43ff258599498e58d2c2d0fe5797f5ee3 (patch)
tree	68433ffa45eac0c0d281e16c88398524c584b6a1
parent	72b929d82e76286cf9d90629e544c7472bb6974f (diff)

diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar index dab8cbf..4470e1b 100644 --- a/php-malware-finder/php.yar +++ b/php-malware-finder/php.yar
@@ -84,7 +84,7 @@ rule DodgyPhp
84	$basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719	84	$basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719
85	$disable_magic_quotes = /set_magic_quotes_runtime\s\(\s0/ nocase	85	$disable_magic_quotes = /set_magic_quotes_runtime\s\(\s0/ nocase
86		86
87	$execution = /\b(eval\|assert\|passthru\|exec\|include\|system\|pcntl_exec\|shell_exec\|base64_decode\|`\|array_map\|ob_start\|call_user_func(_array)?)\s\(\s(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST\|COOKIE\|SERVER))/ nocase // function that takes a callback as 1st parameter	87	$execution = /\b(popen\|eval\|assert\|passthru\|exec\|include\|system\|pcntl_exec\|shell_exec\|base64_decode\|`\|array_map\|ob_start\|call_user_func(_array)?)\s\(\s(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST\|COOKIE\|SERVER))/ nocase // function that takes a callback as 1st parameter
88	$execution2 = /\b(array_filter\|array_reduce\|array_walk(_recursive)?\|array_walk\|assert_options\|uasort\|uksort\|usort\|preg_replace_callback\|iterator_apply)\s\(\s[^,]+,\s*(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST\|COOKIE\|SERVER))/ nocase // functions that takes a callback as 2nd parameter	88	$execution2 = /\b(array_filter\|array_reduce\|array_walk(_recursive)?\|array_walk\|assert_options\|uasort\|uksort\|usort\|preg_replace_callback\|iterator_apply)\s\(\s[^,]+,\s*(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST\|COOKIE\|SERVER))/ nocase // functions that takes a callback as 2nd parameter
89	$execution3 = /\b(array_(diff\|intersect)_u(key\|assoc)\|array_udiff)\s\(\s([^,]+\s,?)+\s(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST\|COOKIE\|SERVER))\s\[[^]]+\]\s\)+\s*;/ nocase // functions that takes a callback as 2nd parameter	89	$execution3 = /\b(array_(diff\|intersect)_u(key\|assoc)\|array_udiff)\s\(\s([^,]+\s,?)+\s(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST\|COOKIE\|SERVER))\s\[[^]]+\]\s\)+\s*;/ nocase // functions that takes a callback as 2nd parameter
90		90